Build a security protection forest for Windows 2000 Servers

Author: Zhang Xiaoming
Windows 2000 is widely used as the server operating system for campus networks in primary and secondary schools. However, some schools have been attacked by cyber hackers since they started running, causing network crashes. So how to solve the security problem? In fact, without any hardware or software intervention, we can build a security protection forest by the system itself.

Set disable to build the first line of defense

Install the latest system patch after installing Windows 2000. But even if it is installed on any machine on the internet, you only need to enter "\ your IP address \ c", then enter the user name Guest, and the password is blank, then you can enter your c drive, you are completely exposed. The solution is to disable the Guest account, set a secure password for the Administrator, and set the share of each drive to not share. In addition, you need to disable services that are not needed. You can set them to disabled in the management tools service, but you must be cautious when reminding that some services cannot be disabled. Services that can be disabled include Telnet, Task Scheduler (allow programs to run at a specified time), and Remote Registry Service (Allow Remote Registry operations. This is the first line of defense for your server.

Set IIS to build the second line of defense

As a campus network server, many schools use this server as a website server at the same time, and the IIS vulnerability is also a thorny problem. In fact, you can simply set up to completely fix website vulnerabilities. You can stop all the default IIS services (you do not need the FTP service. If you need it, we recommend using Serv-U; "managing Web sites" and "Default Web sites" will cause you trouble; SMTP is generally not used), and then a new Web site will be created.

After setting the general content, set the application ing in the "Properties> main directory" configuration and delete unnecessary mappings (2). These mappings are the direct cause of IIS attacks. If you need CGI and PHP, you can refer to some documents for configuration.

In this way, with the conventional settings, your IIS can run securely, and your server has a second line of defense.

Use a scanner to block Security Vulnerabilities

To comprehensively solve security problems, you need to scan the program for help. X-Scan is recommended to help you detect server security issues.

After scanning, you need to check whether there is a Password Vulnerability. If yes, you need to change the password settings immediately. If yes, check the IIS settings. Other vulnerabilities are rarely found. I would like to remind you to note the opened ports. You can record the ports that have been scanned for further settings.

Port blocking to comprehensively build defense lines

Hackers mostly intrude through ports, so your server can only open the ports you need. What ports do you need? The following are common ports that you can choose as needed:

80 is a Web site service, 21 is an FTP service, 25 is an E-mail SMTP service, and 110 is an e-mail POP3 service.

For more information, see SQL Server port 1433. Disable unnecessary ports! To close these ports, we can use the security policy of Windows 2000.

With its security policy, it can completely prevent intruders from attacking. You can go to "Administrative Tools> Local Security Policy", right-click "IP Security Policy", select "create IP Security Policy", and click [next]. Enter the name of the Security Policy, click [next], and then you will create a security policy:

Next, you need to right-click "IP Security Policy" to go to manage IP filters and filters. In the manage IP filters list, you can add ports to be blocked, here, we use the case of Disabling ICMP and 139 ports.

If ICMP is disabled, hackers cannot scan your machine or Ping your machine without the force scan function. To Disable ICMP, click [add], enter "Disable ICMP" in the name, click [add] on the right, and then click [next]. Select "any IP Address" from the source address and click [next]. Select "my IP Address" from the target address and click [next]. Select "ICMP" in the protocol and click [next]. Return to the "Close ICMP attribute" window to close ICMP.

Next we will set to disable 139. Also, click "add" in the management IP Filter list and set the name to "Disable 139". Click "add" on the right and click [next]. Select "any IP Address" from the source address and click [next]. Select "my IP Address" from the target address and click [next]. Select "TCP" in the protocol and click [next]. In the set IP protocol port, select any port to this port, enter 139 in this port, and click Next. That is, close port 139, and set other ports as well.

It is particularly pointed out that disabling UDP4000 can prohibit machines in the campus network from using QQ.

Next, go to the settings management filter operation, click "add", click "Next", enter "reject" in the name, and click "Next. Select "Block" and click [next].

Close this property page, right-click the newly created IP Security Policy "security", and open the property page. Select "add" in the rule and click [next]. Select "this rule does not specify a tunnel" and click Next. Select "all network connections" in "select network type" and click "Next. Select "Disable ICMP" in the IP Filter list and click [next]. In the filter operation, select "deny" and click Next. In this way, you can add the "Disable ICMP" filter to the IP Security Policy named "security. In the same way, you can add other filters such as "Disable 139.

The last thing to do is assign this policy. It takes effect only after it is assigned. Right-click "security", select "all tasks" from the menu, and select "Assign ". The IP Security Settings end here. You can set the corresponding policies based on your own situation.

After the configuration is complete, you can use X-Scan to check and fix the problem.

With the preceding settings, your Windows 2000 Server is very secure. We hope that you can build the server security protection forest as soon as possible.